At 01:03 PM 1/25/01 -0500, William Allen Simpson wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>I've been working with Congresswoman Lynn Rivers on language for 
>electronic ballots.  My intent is to specify the security sensitive 
>information, and encourage widespread implementation in a competitive 
>environment.  We'd like feedback. 

Fun topic.  

Some comments: 

You should list the desirable properties of a voting system and
then the threats to those properties.  Put it on the table for
everyone to see; you're gonna have to educate them in security
analysis.  A list of goals might look like: 

One man, one vote
  Need no skills (e.g. literacy), just claim Right, state address, sign name

No coercion 
  Anonymity in voting
  One-time Commit (can't change your mind)

(NB Absentee balloters from home will be subject to domestic coercion, 
but there's little you can do if the spouse is that controlling.)

You introduce lots of extra tracking numbers, which is a threat to
anonymity.  Perhaps it is to defend the one-man-one-vote desirable property
against double-voting attacks, but are those congresscritters aware of this
tradeoff? 

Suggestion: You should also sketch a system, and maybe a 'use case'.  Is
the goal to let absentee voters use a PC from home?  Or to use State PCs
transparently?  Or to use State PCs as an excuse to change election
procedures?   (I don't mean to be hostile here.)

In fact, what do you expect to gain?  Faster results for CNN?  That is said
to skew elections.  More accuracy?  Derived from what?  

In fact, you may lose: The user interface may be worse --displays lack
paper's contrast, and pressing lettered keys or using a mouse is beyond
some voters. It can be better ---using the 'radio button' concept to exclude
voting for more than one--- but it takes careful design and experiment.

It's not clear to me if dig certs are being used in your plans to
authenticate voters to voting machines; or to authenticate voting-machines
to state databases. Or both.   In my state, we use handsignatures, only, to
authenticate voters.

How do you convince Joe Sixpack that the magic numbers he uses,
and which are linked to his person/residence, aren't linked to his vote? 
When you put cards in a box you achieve quasi-anonymity "that you can see".
How do you do this with opaque computers?

How do you avoid a 'traffic analysis'-like attack where you monitor
both the votes sent out to state DB servers and who comes out of the booth?
This would only work on slow polling places, but would let you
link people to their votes.  A solution is to batch.  Maybe not
worth worrying about, but never a problem before networked computer
voting machines.

At which points in the system would a hacked-keyboard (like the
keystroke recording things that go in-line, but one that changes
votes) be detected?  

>(D) UNIFORMITY -- Display of candidates shall be substantially similar
>    for each race within a state.  On each display, the names of
>    candidates may be randomly ordered within each race.  

Randomly for each voter?  Random by county?  Random by race (so that
in Presidents you see Lib/Demo/Repub but when voting for Governor
you see Repub/Lib/Demo)?

>    Election
>    software shall prevent overvote and undervote, and shall allow the
>    voter to correct such conditions.  Voters unwilling to indicate a
>    choice may select "no vote".  Where "none of the above" or its
>    equivalent is a valid choice, "no vote" shall be a separately
>    distinguished choice.

How about voters not willing to vote for anything in that race, *including*
'no vote'?  Is "no vote" a radio-button default?

>(E) VERIFIABILITY --   The record shall not include any other personally
>    identifiable voter information.  

Yeah, why should it, the Government has the lookup table.  No difference,
if the Government is the source of the threat to anonymity.  Isn't this
part of the threat model? 

>SEC. xx20.  POLLING SECURITY REQUIREMENTS
>
>(A) AUTHENTICATION -- Transactions registering voter choices shall be
>    authenticated by a digital certificate.  

A one-time certificate which comes from a machine that's about to take your
vote?  What is the point?  

Another question: where is your time base from?  GPS?  The internet
time servers?  This matters if/when the computers use their notion of
time to shut voting off.

I don't understand your absentee ballot procedure, except that
legacy paper is still supported via human data entry.  

What happens if someone forgets a PIN? 

To vote absentee in Calif all you need is a stamp and the ability to write
your signature.  Increasing the complexity will deter people.  (Where
did that separate letter with the PIN go?)

>(C) DUPLICATES -- When more than one authentic vote by the same absentee
>    voter is detected, the last such vote shall supersede any earlier
>    vote.  An absentee voter appearing at the regular polling place shall
>    supersede any earlier vote.

Duplicate votes are not handled the way you propose ("keep the last").
You are changing the law here I think.  Besides, you could vote Gore,
see that it's a waste, and go back and vote Nader.  This violates
a 'single commit' Voting Ideal.  This is what I mean by changing
election procedure to accommodate some whizzy new tech.

>(D) TIMELINESS -- Electronic absentee ballots shall be received and
>    recorded at least 24 hours prior to the opening of the polls.  

Why reject them when the polls start?  Give everyone the same deadline.
Or, what is the current policy?

Good luck,
dh
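An added illustration of the timing-correlation point raised in the message above (example code written for this archive page, not part of the original e-mail): a passive observer who sees both when each voter leaves the booth and when each record reaches the state server, run against a constructed slow-polling-place log, first with per-vote uploads and then with the batching the message suggests. The uplink delay, the upload model and all voter data are assumptions for the sketch.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Exit:
    voter: str
    t: float          # seconds after polls open, seen from outside the booth

@dataclass(frozen=True)
class Transmission:
    t: float                     # when the record(s) left the voting machine
    choices: Tuple[str, ...]     # choices observable on the link to the state DB

# Constructed slow polling place: a handful of voters, minutes apart.
EXITS = [Exit("v1", 60.0), Exit("v2", 300.0), Exit("v3", 330.0),
         Exit("v4", 900.0), Exit("v5", 1500.0)]
CAST = [("v1", "A"), ("v2", "B"), ("v3", "A"), ("v4", "C"), ("v5", "B")]
UPLINK_DELAY = 2.0   # assumed: the machine uploads 2 s after the voter commits

def send_immediately(exits: List[Exit], cast) -> List[Transmission]:
    """Naive design: every vote is its own upload right after the voter leaves."""
    exit_at = {e.voter: e.t for e in exits}
    return [Transmission(exit_at[v] + UPLINK_DELAY, (c,)) for v, c in cast]

def send_batched(exits: List[Exit], cast, batch_size: int) -> List[Transmission]:
    """Mitigation from the message: hold records and upload `batch_size` at a time."""
    exit_at = {e.voter: e.t for e in exits}
    batches = [cast[i:i + batch_size] for i in range(0, len(cast), batch_size)]
    return [Transmission(exit_at[b[-1][0]] + UPLINK_DELAY, tuple(c for _, c in b))
            for b in batches]

def observer_links(exits: List[Exit], txs: List[Transmission]) -> Dict[str, str]:
    """Passive observer: attribute each upload to whoever exited since the previous
    upload. A vote is linked only when one choice meets exactly one candidate voter."""
    linked: Dict[str, str] = {}
    prev = float("-inf")
    for tx in sorted(txs, key=lambda x: x.t):
        candidates = [e.voter for e in exits if prev < e.t <= tx.t]
        if len(tx.choices) == 1 and len(candidates) == 1:
            linked[candidates[0]] = tx.choices[0]
        prev = tx.t
    return linked

if __name__ == "__main__":
    print("immediate :", observer_links(EXITS, send_immediately(EXITS, CAST)))  # all 5 linked
    print("batch of 2:", observer_links(EXITS, send_batched(EXITS, CAST, 2)))   # {'v5': 'B'}
    print("batch of 5:", observer_links(EXITS, send_batched(EXITS, CAST, 5)))   # {}
```

The odd tail batch is the caveat a deployment has to handle: a batch of one is as linkable as an immediate upload, so the last batch must be held or padded rather than flushed on its own.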